Cyber Resilience

CVE-2025-0074

Critical

Published: 26 August 2025

Published
26 August 2025
Modified
02 September 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0178 83.1th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0074 is a critical-severity Use After Free (CWE-416) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0074 is a use-after-free vulnerability (CWE-416) in the function process_service_attr_rsp within sdp_discovery.cc of the Android Bluetooth module. The flaw resides in the Bluetooth stack shipped in Android and permits arbitrary code execution when processing service attribute responses during SDP discovery.

An unauthenticated remote attacker can trigger the condition over the network with no user interaction or additional privileges required, resulting in remote code execution that grants full control over the affected process and potentially the device.

The Android security bulletin dated 2025-03-01 and the associated patch at https://android.googlesource.com/platform/packages/modules/Bluetooth/+/37bcf769c1aa8dfa8e5524858d47f6a80b765fa4 address the issue through source-level remediation; operators should apply the March 2025 Android security update or later. The EPSS score has remained flat at 0.0178 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

In process_service_attr_rsp of sdp_discovery.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Use-after-free in Bluetooth SDP handler directly enables unauthenticated remote code execution over a network protocol with no user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0084Same product: Google Android
CVE-2025-22408Same product: Google Android
CVE-2025-22403Same product: Google Android
CVE-2024-40651Same product: Google Android
CVE-2025-22411Same product: Google Android
CVE-2024-40649Same product: Google Android
CVE-2025-22410Same product: Google Android
CVE-2025-0075Same product: Google Android
CVE-2025-48543Same product: Google Android
CVE-2024-40669Same product: Google Android

Affected Assets

google
android
15.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the use-after-free vulnerability by requiring timely identification, reporting, and application of the specific upstream patch for the Bluetooth SDP processing flaw.

prevent

Implements memory protection mechanisms such as address space randomization and non-executable memory that defend against exploitation of the use-after-free in sdp_discovery.cc.

prevent

Authorizes and controls wireless Bluetooth access to limit exposure to remote crafted SDP discovery response packets that trigger the vulnerability.

References